This site has been deprecated in favor of and will remain in place until 11/1/22.

Graphical User Interface

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to

Graphical User Interface
ID T0823
Tactic Execution
Data Sources Network Traffic: Network Traffic Flow, Network Traffic: Network Traffic Content, Process: Process Creation
Asset Human-Machine Interface


Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.

In the Oldsmar water treatment attack, adversaries utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.1

Procedure Examples

  • In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.2